Troubleshooting jira over ssl certificate chain

Christopher Logan October 20, 2014

I'm trying to get JIRA working over ssl, the website comes up but the certificate doesn't show up as trusted. I exported the certificates from my workstation and imported them into the java keystore. How would I go about troubleshooting this issue?

4 answers

0 votes
DavidL October 22, 2014

The keystore alias doesn't matter. It can be anything that you want it to be. Make sure that you add the RootCA and IntermediateCA to cacerts keystore or whatever store you are using to keep your CA certs. You typically don't have to do this since its coming from a known CA, but I have seen that it does fix problems. You can use the cacerts in the JDK that you are using or copy it and add the two certs.

In Tomcat, you would have something like this in your SSL connector section, where the keystore-ident has the key and signed cert for your site

keystoreFile="/jira/.keystore-ident"
keystorePass="changeit"
keyAlias="jira"
trustsoreFile="/jira/cacerts"
truststorePass="changeit"

Christopher Logan October 22, 2014

I don't have the trust store information it should be the same file should I just add that and the alias's?

DavidL October 23, 2014

If you have everything in one file you don't need the truststoreFile and trustorePass. You still need the keyAlias since this tells Tomcat what key to use for encryption. But you should still add the root and intermediate certs for your CA. It is also better if you add the certs in the order of root CA -> intermediate cert -> site cert.

0 votes
Norman Abramovitz
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 20, 2014

So you need run the keytool and update the apache tomcat setup file.   Please see the keytool commands in the following previous answer and the information about the slight differences in the apache setup for Linux.   I assume you are already following the setup directions already mentioned in the documentation.  Do not forget to setup the keyalias parameter.

https://answers.atlassian.com/questions/20947

https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

 

Christopher Logan October 21, 2014

Maybe I'm confused about the alias parameter, I had to add two extra certs for my cert chain, when I added them I called them whatever I wanted, for example I called them RootCA and IntermediateCA because I didn't care what they were listed as in my keystore, is that wrong, do they need to be called something specific? I checked tonight, the issue most certainly is the chain is broken but I added the extra certs by exporting the certificates I wanted from windows and importing them into java keystore using the keytool -import -alias RootCA -keystore /home/svccltprdqdsgit/atlassian/application-data/jira.jks -trustcacerts -file RootCA.crt This is what was listed in the jira ssl document.

0 votes
Christopher Logan October 20, 2014

The certificate was signed by my company Windows CA.

Norman Abramovitz
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 20, 2014

Is your environment Linux or Windows?

Christopher Logan October 20, 2014

Its a linux host running Jira, windows is the CA

0 votes
Norman Abramovitz
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 20, 2014

How was your certificate created? A self signed certificate is rarely trusted by default.

Suggest an answer

Log in or Sign up to answer